Why Cryptosystems Fail?

1 Why Cryptosystems Fail?
Ross Anderson Presented by Ananth Rajagopala-Rao

2 Motivation
Designers of cryptosystems are at a disadvantage compared with other engineers because they receive no feedback on how their systems fail. Governments, banks and the military are very secretive about their mistakes. As a result, the emphasis of cryptosystem research today is misplaced.

3 Case Study – ATM systems
In the USA, banks are required to reimburse all disputed transactions unless they can prove fraud by the customer; as a result, banks lose approx. $15,000 a year. In the UK, there have been several accusations of fraud by banks, which later turned out to be clerical errors.

4 How ATM fraud takes place
Most cases until 1994 were extremely simple; nobody used cryptanalysis or other advanced techniques. A design goal of the ATM system is that any fraud requires the cooperation of a minimum of two persons; most frauds indicate elementary design flaws that violate this goal.

5 How ATM works?
The account number and an offset are stored on the card. The PIN is a cryptographic function of the account number plus the offset stored on the card. The management of the keys for this cryptographic function is where a lot of problems arise. If we know the PIN key: given any card, we can figure out the PIN; we can forge ATM cards with cheap off-the-shelf hardware.
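Added example, not part of the original presentation: a sketch of the PIN scheme on slide 5, showing that the card carries everything except the PIN key, so the key is the only thing protecting every customer's PIN. Assumptions: HMAC-SHA-256 stands in for the bank's actual cipher, and the decimalisation table, function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Assumed decimalisation table: hex digits 0-F map to decimal digits.
DECIMALISATION = "0123456789012345"
PIN_LEN = 4

def natural_pin(pin_key: bytes, account_no: str) -> str:
    """Keyed function of the account number, reduced to PIN_LEN decimal digits.
    HMAC-SHA-256 is a stand-in here for the bank's actual cipher."""
    digest = hmac.new(pin_key, account_no.encode(), hashlib.sha256).hexdigest()
    return "".join(DECIMALISATION[int(h, 16)] for h in digest[:PIN_LEN])

def offset_for(pin_key: bytes, account_no: str, chosen_pin: str) -> str:
    """Offset written to the card so the customer can pick their own PIN."""
    nat = natural_pin(pin_key, account_no)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))

def derive_pin(pin_key: bytes, account_no: str, offset: str) -> str:
    """PIN = natural PIN + offset, digit by digit modulo 10."""
    nat = natural_pin(pin_key, account_no)
    return "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))

def verify_pin(pin_key, account_no, offset, entered_pin) -> bool:
    """What the security module does: recompute and compare in constant time."""
    return hmac.compare_digest(derive_pin(pin_key, account_no, offset), entered_pin)

if __name__ == "__main__":
    key = b"constructed-demo-pin-key"      # constructed; must never leave the module
    account = "4000123412341234"          # constructed account number
    offset = offset_for(key, account, "2580")
    print("card stores:", account, offset)
    print("correct PIN accepted:", verify_pin(key, account, offset, "2580"))
    print("wrong PIN accepted:", verify_pin(key, account, offset, "2581"))
    # Everything except `key` is on the card, so the key alone protects every PIN.
    print("derived from card data + key:", derive_pin(key, account, offset))
```

Changing a customer's PIN only changes the offset on the card; the key-derived part stays fixed, which is why key management, not the algorithm, is the weak point the slides go on to describe.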

6 Problems with encryption products
All hardware that stores important keys must be physically tamper resistant. Of the 10,000 member banks of VISA and Mastercard, only about 1,000 have invested in such hardware. All these security modules are manufactured by IBM, and the IBM manual actually tells how any programmer can recover the keys for debugging purposes!!!

7 Problems with encryption products (cont.)
Key entry into these security modules is through obsolete IBM 3178 serial terminals. The key is usually distributed between two high-ranking officials in the bank. These officials are mostly reluctant to use a keyboard, and simply give the key to the technician. Even if they do type it in, they use emulation software on the service technician's laptop, which can record the keystrokes.

8 Problems with practices of banks
Some banks subcontract their ATM system to ‘facilities management’ firms. No bank officials have any idea about the security implications of this. Most keys are exchanged in open correspondence. Some banks place the encryption module inside the branch, and transmit PINs in plaintext to ATMs. Point of sale systems at stores??

9 The threat model is wrong
Designers concentrate on what could possibly happen rather than on what is likely to happen. We overestimate the sophistication of both the users of the cryptosystem and the attacker. We grossly underestimate “internal” threats. Hangover from military applications, DOD funding, WW II etc. where the entities in question are nations??

